To be honest, securing email is not that hard, unless you want to "manually" set up a structure to check messages for weird stuff.
It's not that complicated, but it's complicated enough that I've seen plenty of people mess it up. And no, it's not just "checking messages for weird stuff". If you think that's all that's involved, then you don't know enough to run a mail server.
Do you know what SSL certificates are, or how to set one up? Do you know how to set up your firewall to allow only the appropriate ports to the Exchange server, and which ports need to be allowed? Do you understand the security implications of allowing incoming traffic to your network? Do you need to set up multiple Exchange servers with different roles, and do you know what the security implications of that would be? Do you know what MX servers are, and how to set them up so that you don't lose incoming email during a server outage? Do you know how to do a proper backup/restore of your Exchange environment, and how to secure those backups both from breach and loss? Do you know if your email system currently has any unpatched vulnerabilities? Do you have a way of mitigating those vulnerabilities? Do you have a good regimen for installing updates and patches, including testing to prevent unforeseen downtime?
Security isn't just about protecting yourself from malicious email.
You can "outsource" an email hygiene service, to handle the inbound of your email, clean it, and deliver it to your own server.
Whoa there. I thought we just established that you're unwilling to trust an outside vendor with your email, and now you're planning on routing all of your email through an outside vendor? If I were paranoid enough about my email to refuse to use a hosted provider, I don't think I'd be willing to use a hosted spam filtering service.